Cyber Posture

CVE-2025-26702

Medium

Published: 11 March 2025

Modified: 19 March 2025
KEV Added
Patch
CVSS Score: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0020 (41.2th percentile)
Risk Priority: 10 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Security Summary

CVE-2025-26702 is an Improper Input Validation vulnerability in ZTE GoldenDB that allows Input Data Manipulation. The issue affects GoldenDB versions from 6.1.03 through 6.1.03.04 and was published on 2025-03-11. It is associated with CWE-20 and carries a CVSS v3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Exploitation requires high privileges (PR:H) and can be performed over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Attackers with privileged access can trigger the vulnerability within the unchanged scope (S:U), resulting in high impact to availability (A:H) such as denial of service, while confidentiality (C:N) and integrity (I:N) remain unaffected.

Mitigation details are available in the ZTE security bulletin at https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/1820079027271819342.

Details

CWE(s)
CWE-20, NVD-CWE-noinfo

Affected Products

Vendor: zte
Product: goldendb
Versions: 6.1.03 — 6.1.03.05

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Improper input validation allows privileged network attackers to manipulate input data, causing an application or system crash and denial of service. This maps directly to application or system exploitation for endpoint DoS.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0
